Error validating user via ntlm
LOCAL -mapuser mwg-kerb-user -pass password -ptype KRB5_NT_PRINCIPAL -crypto All -out mandarin.vegas.local.keytab
As of version Web Gateway 7.3, there is no need to add additional SPNs via the CLI.
This document was written to assist with setting up Web Gateway to perform Kerberos for Proxy Authentication. It also provides background information on the different processes involved with Kerberos; the information in this document should shed light on all of the complexities involved with the protocol.
This ruleset is the framework that we can mold to our needs. Prior to adding the ruleset, you must resolve any existing conflicts.
Under the Policy, click the left-most "Add" button and select "Rule Set from Library...".
Once on the "Add from Rule Set Library" dialog, find the "Direct Proxy Authentication and Authorization" ruleset.
Within your Kerberos engine settings, you must enable the option for "Extract group membership IDs from the ticket" and "Lookup group names via NTLM".
You must set both options in order to reference groups by name. If "Lookup group names via NTLM" is unchecked, you can only use the SID of the group (which isn't very memorable).
This document is the extended Kerberos guide which includes full background and context.
If you do not have hours to read through this guide, please check out the simplified Kerberos guide: , please also check out the a tool meant to simplify the Kerberos setup process.
Get User Groups" to actively seek out or the user groups. Get User Groups" property essentially tells the Web Gateway to check against the specified Directory (in this case "LDAP - Vegas (AD)"). User Groups, which would be filled with the group information if the Authentication type allows for group information to be passed back.